Global Law Firm Motions to Eliminate Risk

 

Reams of Evidence

After running a proof of concept, Linklaters chose to purchase and roll out five Security Weaver solutions: Separations Enforcer, Emergency Repair, Process Auditor, Transaction Archive, and License Management. Security Weaver delivers the platform via SAP transports to install into development and quality assurance (QA) systems before running in production.

The firm started with Transaction Archive, which Butt says was up and running in production the day after the firm signed the contract. Transaction Archive — part of the Role Lifecycle Management set of solutions — gathers, compresses, stores, and analyzes SAP transaction code execution history, which customers then use to improve end-user management, training, and security.

Transaction Archive also eliminated the firm’s reliance on limited batches of sample data to flag SoD conflicts and to check transaction history. With complete visibility into user transaction code history, dating back 18 months since it rolled out the application, Linklaters can now instead run random spot checks on users to check compliance, set a baseline for specific roles, or better predict and manage licensing needs.

“I say that Transaction Archive is ‘GOLD’ because based on that user activity information we can now make numerous decisions by simply highlighting whether they really need their current access,” Butt says. “We didn’t truly understand the full impact of Transaction Archive until we started using the data. It is invaluable.”

 

Mitigation of Malfeasance

The Separations Enforcer application, which automates SoD checks, pairs well with Transaction Archive because the transaction execution data provides companies with more information to plug into the application’s function-based matrix to analyze, manage, and reduce conflicts. Reporting templates provide fast analysis and documented compliance. According to Butt, Linklaters is leaning heavily on the application to help expand a financial shared services center in Warsaw, Poland. “Separations Enforcer has helped divide roles so no one has more access than they need,” he says. “And by centralizing some of our finance functions by funneling all the work to one team, we have increased SoD exposure.”

Process Auditor and Emergency Repair likewise help ease a transition to shared services by delivering both process-based and role-based controls — the former installed for contractors, third-party vendors, and temporary users, while the latter provides users with spot access for a limited time frame (often referred to as a “firefighter” tool).

Butt says that Linklaters uses Process Auditor mostly for giving third-party users temporary SAP access. “We built controls to monitor access to the systems,” he says. “It’s like Transaction Archive in that it documents what people are doing in the system, but it also allowed us to build a control around that access so we are now alerted if users exceed their allotted transactions.”

Linklaters uses Emergency Repair primarily to grant temporary exceptional access to users who need it to perform functions beyond their usual duties and only for a specific time, such as month-end activities. Emergency Repair monitors and manages this access via the recording of all necessary approvals, the access itself, and the automatic removal of the access at the expiration of the pre-set time limit. Approvers and managers can then go into the system to approve the transaction log. Emergency Repair also includes customizable workflows, which gave Linklaters the flexibility to fit it to the firm’s particular requirements.

Like the other Security Weaver products, Emergency Repair is installed directly in the SAP system; this precludes the need to set up the emergency access under a separate account, like many competitors’ firefighter tools. “Because Emergency Repair provides access to the normal user ID for only the period requested, there is less work on the part of the auditor,” Butt says. “Our auditors have been thrilled with the risk control and the way we have used the application.”

 

Security Beyond a Reasonable Doubt

Butt says that a big benefit is how Transaction Archive, Separations Enforcer, and Emergency Repair work with an earlier installation of Security Weaver’s Role Recertification solution, which along with Separations Enforcer and Emergency Repair is in the Access Management suite. Role Recertification, as its name suggests, automates recertification for SAP user access, a traditionally labor-intensive project that organizations usually perform biannually as part of Sarbanes-Oxley regulations. The firm plans to use Role Recertification as a complementary solution with Transaction Archive, using data from the latter product to inform decisions surrounding recertification.

“Our finance manager is very keen on Role Recertification as a product that it will control access management,” Butt says. “As people change jobs within the organization or as we continue to centralize, this application will help us avoid access creep, which is where people by default keep the access they’ve had in the past. We will be able to recertify based on how active a user has been against certain transactions or against a particular role, which is how it works with Transaction Archive.”

The data from Transaction Archive has also informed Linklaters in its use of the License Management product. With such a rich supply of user access data combined with License Management’s role recommendation reports and automated role re-allocation features, Linklaters is better able to make informed decisions regarding current and future licensing needs.

 

The Verdict Is In

The Security Weaver platform touches nearly all the firm’s roughly 5,300 employees. Beyond finance and marketing users, this includes the 2,800 or so partners and lawyers who use employee self-service and other SAP ERP HCM functionality. Linklaters installed the five Security Weaver solutions in its controls suite in a relatively condensed timeline: only three months. The quick turnaround was due in part to the fact that the solutions were already running in a QA environment. The firm chose a controlled rollout because of resource allocation, but also to allow time to resolve any potential setbacks.

One minor challenge, according to Butt, was that the firm’s custom installation language didn’t work seamlessly with the SAP transports, but Security Weaver technical support worked with the internal Basis team at Linklaters to straighten out the problem. “The implementation was pretty easy, largely due to the proof of concept we ran beforehand,” Butt says. “We got through most of the issues before ever going into production.”

Having 18 months of data in Transaction Archive was a foundational springboard for how the firm transformed access management, license optimization, continuous controls, and security analytics in less than two years, according to Butt. “The main business reason for implementing Security Weaver was to reduce the risks that were highlighted by auditors, and a lot of the benefits we’ve seen — such as being able to highlight when users have access they shouldn’t, mitigating SoD exposure, and managing license adherence — all stem from Transaction Archive,” he says. “Once Transaction Archive starts to record transactions, everything else kind of spins off that.”